Menu

Thursday, 10 April 2014

The 'Heartbleed' is security flaw in the OpenSSL which is widely used to encrypt web communication. The 'Heartbleed' allows anyone to get a copy of the server's memory where sensitive data is stored like username, passwords and even credit card numbers. It even provides security for applications like Email and Instant Messaging.

OpenSSL is an open source encryption standard toolkit implementing the SSL (Secure Socket Layer) and TLS (Transport Layer Security) and a full strength general purpose cryptography library. Most popular open source web server like Apache and nginx which having a combined of more than two-third of the market share uses OpenSSL. The sites running on these web servers are being affected.

Heartbleed is the informal name for CVE-2014-0160. The bug is actually in the OpenSSL's implementation of the TLS heartbeat extension from where it derives its informal name. Heartbeat to Heartbleed - Ironic. Isn't it?

Heartbleed flaw allows anyone to get information from the server memory allowing them to fetch important and confidential data like Username, Passwords, Credit card numbers. Heartbleed even gives the attacker a possibility of securing the Private keys used to decrypt the encrypted messages. The attacker can then use this Private Key to read whatever is being done in the encrypted form.

The leaked security allow attacker to decrypt any past and future messages and impersonate the service at will. This leak can be recovered by patching up the vulnerability and re-issuing, redistributing new keys and revoking the compromised keys. Recovery from the leaked Usernames and passwords requires the services to patch up the vulnerability and asking user to change their usernames and passwords and possible encryption keys. All session keys and cookies should be considered affected and must be destroyed.

OpenSSL is the most popular open source cryptographic library and you are likely to be affected by it. The flaw has been there for two years and since it leaves no traces, you may assume your accounts be compromised. You should change your passwords to the services that uses your confidential information like credit card numbers. There is a need to remove this vulnerability.